Port Knocking and Other Uses of 'Recent Match'

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

Note

The techniques described in this article were superseded in
Shorewall 4.5.19 with the introduction of Shorewall Events.

Note

The feature described in this article requires 'Recent Match' in your iptables and kernel. Check the output of shorewall show capabilities to see whether you have that match.

What is Port Knocking?

Port knocking is a technique whereby attempting to connect to port A
enables access to port B from that same host. For the example on which
this article is based, see http://www.soloport.com/iptables.html
which should be considered to be part of this documentation.

Implementing Port Knocking in Shorewall

In order to implement this solution, your iptables and kernel must support the 'recent match' extension (see FAQ 42).

Attempting to connect to port 1601 disables SSH access (note that in the article linked above, attempting to connect to port 1599 also disables access; this is a port scan defence, as explained in that article).
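The recent-match state machine behind this section, modelled as an added Python example that is not part of the original article or of Shorewall: a minimal emulation of one iptables 'recent' list (--set, --remove, --rcheck --seconds) run over constructed traffic, including an expired knock and a sequential scan that trips the 1601 rule. Port 1600 as the enabling "port A" and the 60-second window are assumptions; the page names only the disabling ports.

```python
# Constructed example of the recent-match port-knocking state machine
# (not the page's own action file). Assumptions: port 1600 is "port A",
# the knock window is 60 seconds, and 1599/1601 both remove the knocker.
SSH_PORT = 22
ENABLE_PORT = 1600          # assumed value for "port A"
DISABLE_PORTS = {1599, 1601}
WINDOW = 60                 # assumed --seconds value

class RecentList:
    """Minimal model of one iptables 'recent' list: source -> last-seen time."""
    def __init__(self):
        self.entries = {}

    def set(self, src, now):              # -m recent --set
        self.entries[src] = now

    def remove(self, src):                # -m recent --remove
        self.entries.pop(src, None)

    def rcheck(self, src, now, seconds):  # -m recent --rcheck --seconds N
        ts = self.entries.get(src)
        return ts is not None and now - ts <= seconds

def evaluate(packets):
    """Run (time, src, dport) SYN packets through the knock rules and return
    one verdict per packet. Knocks are recorded but never answered."""
    ssh = RecentList()
    verdicts = []
    for now, src, dport in packets:
        if dport == SSH_PORT:
            verdicts.append("ACCEPT" if ssh.rcheck(src, now, WINDOW) else "DROP")
            continue
        if dport == ENABLE_PORT:
            ssh.set(src, now)
        elif dport in DISABLE_PORTS:
            ssh.remove(src)
        verdicts.append("DROP")
    return verdicts

# Constructed traffic: a valid knock, an expired knock, and a sequential scan.
SAMPLE = [
    (0, "198.51.100.7", 22),    # no knock yet             -> DROP
    (1, "198.51.100.7", 1600),  # knock: source is listed  -> DROP
    (2, "198.51.100.7", 22),    # inside the window        -> ACCEPT
    (70, "198.51.100.7", 22),   # 69 s after the knock     -> DROP
    (80, "203.0.113.9", 1600),  # scanner reaches 1600 ... -> DROP
    (81, "203.0.113.9", 1601),  # ... then 1601, removed   -> DROP
    (82, "203.0.113.9", 22),    # scan defence worked      -> DROP
]
```

Calling `evaluate(SAMPLE)` shows that only the SSH attempt made inside the window after a knock is accepted; a later connection without a fresh knock, and any host that scans past the enabling port into 1601, is dropped.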

Note

You can use SSHKnock with DNAT on earlier releases provided
that you omit the ORIGDEST entry on the second SSHKnock rule. This
rule will be quite secure provided that you specify 'routefilter' on
your external interface and have NULL_ROUTE_RFC1918=Yes in
shorewall.conf.

For another way to implement Port Knocking, see the Manual Chain documentation.